SANS GCIH CERTIFICATION GUIDE
Created by Michael LaSalvia, 2/2010. Hosted on: http://www.digitaloffensive.com

BOOK 504.1

A. Incident Handling Process: 6 steps (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned)
B. What is incident handling? An action plan for dealing with the misuse of computer systems and networks.
C. What is an event? Any observable occurrence in a system and/or network.
D. What is an incident? An adverse event in an information system and/or network.

1. Preparation (p. 15)
2. Identification (p. 46); cheat sheets (p. 58)
3. Containment (p. 92)
4. Eradication (p. 111)
5. Recovery (p. 117)
6. Lessons Learned (p. 121)
7. Incident Tips (p. 130)
   a. Espionage (p. 131)
   b. Unauthorized use (p. 138)
   c. Insider threat (p. 151)
   d. Intellectual property (p. 164)
      i. Patent (p. 167)
      ii. Copyright (p. 168)
      iii. Fair use (p. 169)
      iv. Trademark / servicemark (p. 170)
      v. Trade secrets (p. 173)
      vi. PICERL for intellectual property (p. 174-179)
8. Law, Crime and Evidence (p. 180)
   a. Criminal vs. civil (p. 182)
   b. Arrest / false arrest (p. 183)
   c. Search and seizure with and without a warrant (p. 184-185)
   d. US cyber crime laws (p. 187-189)
      i. Cyber Security Enhancement Act of 2002
      ii. Title 18 sec 1362: prohibits malicious injury or destruction of communications equipment
      iii. Title 18 sec 2510: interception of wire, electronic and oral communications
      iv. Title 18 sec 1030: computer fraud (financial/money, government, foreign); penalty noted: 10 years
      v. Title 18 sec 2701: access to stored wire and electronic communications and transactional records
   e. Canada: Criminal Code of Canada sec 184 (interception) and sec 384 (unauthorized use) (p. 191)
   f. United Kingdom: Computer Misuse Act of 1990 (p. 190)
   g. Germany (p. 192-193)
      i. Sec 202a: data espionage
      ii. Sec 202c: anti-hacking law (bans hacking tools; since 2009 only tools held with criminal intent)
      iii. Sec 303a: alteration of data
      iv. Sec 303b: computer sabotage
   h. Australia: Cybercrime Act 2001 (p. 194)
   i. Japan: Law no. 128 of 1999, Unauthorized Computer Access Law (p. 195)
   j. Singapore: Chapter 50A, Computer Misuse Act (p. 196)
9. Linux (p. 223)

BOOK 504.2

1. Trends (p. 11-15): hacktivism; software distribution site attacks (p. 13-14); the Golden Age (p. 15); identification impossible.
2. Attack for fun and profit: the attack phases, starting with reconnaissance.

Reconnaissance:
1. Domain name registration / Whois (p. 19-21): address, contacts, nameservers, authoritative DNS. Whois gives you information on domains and IPs.
   a. Defense: make sure your data is accurate and scan yourself.
2. DNS interrogation (p. 26-30): uses the information from the whois to pull additional info.
   a. Identification: look for zone transfers.
   b. Defense: use split DNS (internal and external), limit zone transfers, harden servers.
3. Web site searches (p. 32-35): search the target's site, partner sites, job sites, social media sites, blogs and newspapers, press releases and contacts; generalize job openings, design docs and so on. Useful for social engineering.
   a. Defense: limit what is posted; conduct self searches.
4. Google (p. 37-48): Johnny Long and the GHDB. Use it to find vulnerabilities, then use the results to try to access systems.
   a. Search directives: site, link, intitle, inurl, filetype and ext (the same; better to just use doc, pdf and so on), info, cache; phonebook searches (phonebook: and REVERSE:); (-) excludes a word, (+) requires a word, (.) is a wildcard for a single character.
   b. Google Maps: view the physical security of a building (roads, doors and so on).
   c. Automated Google with an API key: SiteDigger and Wikto; without a key: Goolag. Wikto with AURA and SecApp GHDB.
   d. Defense: robots.txt and meta directives (NOINDEX, NOFOLLOW, NOSNIPPET, NOARCHIVE); removal of content and re-crawl of the site via google.com/addurl; phonebook removal via /help/pbremoval.html; protect directories from crawlers; ask that inaccurate or damaging data be removed.
   e. Identification: search for crawler traffic and mass site downloads.
5. Maltego (p. 50-52): intelligence gathering tool; maps relationships using transforms.
   a. Defense is to just deal with it.
6. War dialing and scanning (p. 56-64)
   a. War dialers dial numbers looking for modems and a secondary dial tone.
   b. THC Scan (the newest version can be used on a botnet).
   c. WarVOX: uses VoIP accounts; can do 1,000 numbers an hour.
   d. Spoof caller ID and call as yourself.
7. War driving / wireless (p. 66-81)
   a. Netstumbler: limited driver support, relies on the SSID, active.
   b. Wellenreiter: passive scanning.
   c. Kismet: passive, with GPS tie-in.
   d. Karma: pretends to be everything and responds to all probe requests, so you act as the requested resource; can be tied into Metasploit.
   e. Cracking and sniffing: aircrack-ng, WEPCrack, coWPAtty, ASLEAP, OmniPeek.
   f. Defense: WPA or better; a non-attractive SSID or no SSID; MAC address filtering; use a VPN tunnel; lock switch ports to MAC; wireless IPS/IDS (Aruba, Motorola); better placement of APs; look for rogue devices.
8. Network mapping / Nmap (p. 85-94): tracert, traceroute, nmap, Zenmap GUI.
   a. Traceroute: uses a low TTL and the ICMP time exceeded message to map; increases the TTL by 1 after each time exceeded until it hits the host.
   b. Nmap: now uses -PN (no ping). Host discovery sends 4 packets to check if a host is up: ICMP echo request, TCP SYN to port 443, TCP ACK to port 80 and ICMP timestamp request when running as UID 0; if not root, just SYN. Nmap's traceroute starts with a large TTL, adjusts until it finds the correct TTL, then counts backwards: more efficient mapping of larger networks.
   c. Zenmap: visual graphing of the network map based on the results from nmap.
   d. Defense: disable incoming ICMP echo requests and outbound time exceeded.
9. Port scanning / active OS fingerprinting (p. 95-120): Nmap, Xprobe2.
   a. Nmap scan types (p. 101).
   b. Nmap IP spoofing and idle scan: relies on the IP identification field of a zombie host being predictable (p. 105-108).
   c. Active OS fingerprinting (p. 111-113).
   d. Passive OS fingerprinting: p0f2 uses a sniffer and a database for matching.
   e. Tools to see what is listening (p. 115-119): netstat, fport, sc, wmic, net view, net use, chkconfig.
   f. Defense: turn off services not needed, filter ports, stateful firewall and proxy, change the OS identification info.
10. (p. 126-128): defense as above.
11. Firewalk (p. 130-136): allows you to determine what ports are open on a firewall; IP gathering from the IP header: TTL, SRC IP and DST IP.
12. Fragmentation attacks (p. 137-145): breaking up a packet to bypass the IDS.
   a. Tiny fragmentation.
   b. Overlapping fragmentation.
   c. Fragrouter and Fragroute (p. 146-148): tools to fragment packets and bypass IDS/IPS.
   d. Defense: reassemble packets before the IPS/IDS; make sure your IPS/IDS is properly specced; host-based IPS/IDS; packet capture.
13. Vulnerability scanning (p. 151-164): Nessus, SATAN and so on; mostly Nessus info.
   a. Defense: keep up to date, patch and harden; IPS/IDS.
14. IDS evasion (p. 165-178): Whisker for web scans, the fragmentation tools above.
15. Web: CGI, PHP, JSP, ASP; Nikto scanner.
   a. GET request: passes parameter values on the URL.
   b. POST request: passes parameters in the body.
   c. Defense: run the server with least privilege; Linux; good code (scrub bad parameters); remove default scripts and directories.
16. Null sessions (p. 179-210): Enum, winfingerprint, smbclient.

BOOK 504.3

Netcat (nc) basics
   a. Listen mode: nc -l -p 22
   b. Transferring files with Netcat (p. 21-22)
   c. Vulnerability scanning and port scanning (p. 23)
   d. Backdoors: persistent backdoor and reverse shells with -e (p. 25-27)
   e. Defense: know what is on your system.
IP spoofing defense: enable anti-spoofing filters; disable source routing.
Sniffers (p. 49-75): passive = Wireshark, active = Dsniff.
   a. ARP maps IP (network layer) to MAC (data link layer).
   b. Gratuitous ARP: sending an ARP response without a request.
   c. Sniffing on a switched network: take out the source, or use ARP cache poisoning, or confuse the switch into thinking two ports are the same machine.
   d. Dsniff tools: tcpkill, tcpnice, arpspoof, msgsnarf, webspy; MITM tools webmitm and sshmitm (p. 60-62); SSLstrip (p. 63-70).
   e. Detect locally: ifconfig (the PROMISC flag) on kernel 2.4 and earlier.
   f. Defense: hard-code the ARP table on important LANs; use encryption on the network; use SSH v2; heed the warning messages from SSL and SSH; lock ports to MAC.
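The ARP cache poisoning and gratuitous-ARP notes above describe what an attacker sends; the following is an added example, not code from the guide, of the check a defender runs over a feed of ARP replies. It keeps one IP-to-MAC table and flags the three symptoms the notes mention: an IP whose MAC changes (arpspoof), a reply nobody requested (gratuitous), and one MAC claiming many IPs. The ArpReply records are constructed sample data, not a real capture, and the `gratuitous` flag assumes the caller has already matched replies against seen requests.

```python
"""Added example (not from the guide): a minimal ARP-spoof detector run
over ARP replies. Sample packets are constructed, not a real capture."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    gratuitous: bool = False  # assumption: caller sets this when no request was seen


class ArpWatch:
    def __init__(self, many_ips_threshold=3):
        self.table = {}                      # ip -> mac, first binding seen wins
        self.ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
        self.threshold = many_ips_threshold

    def observe(self, pkt):
        """Return the alerts produced by this single reply (empty if benign)."""
        alerts = []
        mac = pkt.sender_mac.lower()
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = mac          # learn the binding, like arpwatch
        elif known != mac:
            alerts.append(f"MAC change for {pkt.sender_ip}: {known} -> {mac}")
        if pkt.gratuitous:
            alerts.append(f"gratuitous ARP reply from {pkt.sender_ip} ({mac})")
        self.ips_by_mac[mac].add(pkt.sender_ip)
        if len(self.ips_by_mac[mac]) >= self.threshold:
            claimed = sorted(self.ips_by_mac[mac])
            alerts.append(f"{mac} claims {len(claimed)} IPs: {claimed}")
        return alerts


def scan(replies, threshold=3):
    """Run every reply through one ArpWatch and collect all alerts in order."""
    watch = ArpWatch(threshold)
    found = []
    for r in replies:
        found.extend(watch.observe(r))
    return found


# Constructed sample: gateway and client learned, then de:ad:be:ef:00:01
# poisons both (the classic arpspoof MITM) and claims a third address.
SAMPLE = [
    ArpReply("10.0.0.1", "00:11:22:33:44:01"),
    ArpReply("10.0.0.5", "00:11:22:33:44:05"),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:01", gratuitous=True),
    ArpReply("10.0.0.5", "de:ad:be:ef:00:01", gratuitous=True),
    ArpReply("10.0.0.9", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

The first-binding-wins rule is the same trade-off arpwatch makes: a genuine NIC replacement also trips the MAC-change alert, which is why the hard-coded ARP entries the guide recommends for important hosts are the stronger defense.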
1. IP address spoofing (p. 5-15)
   a. Change the IP: the handshake never completes; good for a DoS.
   b. TCP sequence number guessing: requires you to knock the spoofed IP offline and guess the sequence number; good against trust relationships on Linux such as the R services.
   c. Source routing spoofing: a router on the path to the victim must allow source routing. NC can do source routing.
2. Netcat (nc) (p. 16-48): the Swiss army knife, like the Linux cat; multiple versions and variations.
   a. Client mode: nc IP 22
   b. Netcat command switches (p. 20)
   c. Relays: Windows uses a bat file and Linux uses a backpipe (p. 28-30)
   d. Exercises and examples (p. 35-48)
   e. Defense: close unneeded services.
3. Sniffers (continued)
   a. Hub = broadcast, traffic goes to all ports. Switch = uses the CAM table and ARP to match a physical port to a MAC and IP.
   b. Dsniff components (p. 54): dsniff, arpspoof, macof, tcpkill, filesnarf, mailsnarf, urlsnarf and so on.
   c. Arpspoof: ARP cache poisoning by sending false ARP messages into the LAN.
   d. Macof: floods the switch with bogus MAC addresses, trying to fill the CAM table so the switch falls back to behaving like a hub.
   e. MITM: dnsspoof.
   f. Ettercap (p. 81).
   g. Detect: locally, ip link on kernel 2.4 or later; remotely, EtherARP, Sentinel, promqry and a few others; look for messed-up ARPs.
4. Session hijacking (p. 77-86): uses spoofing and sniffing against a session-based protocol.
   a. Find a session and use the TCP sequence numbers to hijack it.
   b. ACK storms get created while the two real endpoints try to figure out what is going on.
5. DNS cache poisoning (p. 97-111): 3 ways; Kaminsky's is the best.
6. Buffer overflows (continued on the next line)
   a. Step 2: push the exploit code into memory; use NOP sleds for a better chance that your code is executed.
   b. Routines for development: find the exact return pointer (RP).
   c. Tools: Google Code Search and Microsoft's !exploitable.
   d. Meterpreter: hides in the exploited process; multi-purpose (p. 136-137).
7. File and protocol parser overflows (p. 151-155).
8. Format string attacks: %n allows you to write anywhere in memory; printf arguments are pushed onto the stack in reverse order, which is why supplied input is reachable as "arguments".
   a. Defense: safe and secure code development.
   b. Format string exercise (p. 183-209).
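Finding the exact return pointer offset, the "routines for development" step above, is usually done with a cyclic pattern rather than by cramming a single 0x41 character: overflow the buffer with a non-repeating pattern, read the 4 pattern bytes that landed in EIP when the target crashed, and look them up. The code below is an added example of that Metasploit-style pattern_create / pattern_offset logic, not code from the guide or from Metasploit. The `crash_eip_for` helper only simulates what a debugger would show; no real target is involved.

```python
"""Added example (not from the guide): cyclic pattern generation and
offset lookup for locating the saved return address in an overflow."""

import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Triples Aa0 Aa1 ... Aa9 Ab0 ..., truncated to `length` bytes.
    Every 4-byte window is unique within the first 20280 bytes."""
    triples = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGIT):
        triples.append(u + l + d)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length].encode()


def pattern_offset(pattern, eip_value):
    """eip_value is the 32-bit register value from the crash. x86 is little
    endian, so the register's bytes are reversed relative to memory order;
    packing with '<I' restores the memory order before searching."""
    needle = struct.pack("<I", eip_value)
    return pattern.find(needle)


def crash_eip_for(pattern, offset):
    """Simulate the EIP a debugger would show if the saved return address
    starts at `offset` in the overflowed buffer."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


if __name__ == "__main__":
    pat = pattern_create(500)
    eip = crash_eip_for(pat, 112)
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(pat, eip)}")
```

The same little-endian rule the guide states for the final address applies here: the bytes you place at the found offset must be the reversed representation of the address you want executed (\xc0\xfa\xff\xbf for 0xbffffac0).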
6. Buffer overflows (p. 113-129): due to not properly checking input.
   a. Step 1: find potential overflows: search the code for weak functions (p. 121); msfelfscan and msfpescan check executables and libraries for signs of vulnerabilities; cram input: fill the input with a search character such as A = 0x41, then with ABCDEF-style patterns, to see what lands where (p. 125).
   b. Step 2: push the exploit code into memory: small machine code, tailored to the processor; watch for null characters.
   c. Step 3: set the return pointer, the hardest part: analyze the code, or guess. Little endian (Intel): the bytes \xc0\xfa\xff\xbf in memory are the address 0xbffffac0.
   d. Metasploit (p. 131-150): framework for exploitation and exploit development.
   e. Defense: apply patches; safe programming practices; non-executable stack and DEP (p. 142-150).
   f. ARP and MAC exercise (p. 90-96).
8. Format string attacks (p. 157-183): caused by passing user input as the format string to printf, snprintf or sprintf.
   a. Curious user input: %x prints a value in hexadecimal, %d prints a decimal integer, and %n writes the number of bytes output so far to the address it takes from the stack; that write is how the attacker overwrites user credentials and so on.
   b. DNS cache poisoning recap: 3 ways.

BOOK 504.4

1. Password cracking (p. 5-52)
   a. Password representations: Windows = SAM, Linux = /etc/shadow.
   b. Windows doesn't use salts, so identical passwords give identical hashes. Linux: $1$ means MD5, followed by an 8-byte salt (salt = vqQO0mlr), then the hash of password and salt = value.
   c. Cracks: LANMAN and NT hash. LANMAN is very weak: the 14-character password is split into two 7-character strings (more on p. 26). NT hashes (p. 18): better than LANMAN, hashed using MD4.
   d. Attacks: dictionary attack, the fastest method, uses a list of words (dictionary). Hybrid builds on the dictionary by adding numbers and symbols to dictionary words, like password1, and also checks concatenation of words; hybrid attacks in Cain or other tools work best. Pre-generated tables: rainbow tables, no brute force at crack time; Cain supports rainbow tables for cracking, generated with winrtgen. Many protocols (p. 7); already has hashes (p. 21).
   e. Ethics: don't use it for migrating users; get permission.
   f. Cain & Abel (p. 22-28): two tools; Cain collects and Abel is the remote part; features (p. 24) include the ability to crack passwords.
   g. Cain: feature rich; collects a lot of information: sniffer, ARP cache poisoning, dictionary support, simple hybrid and brute-force attacks, MD5 crack and much more. Abel: a remote tool, almost like a backdoor (dumps remote password hashes).
2. Passwords must be protected from unauthorized disclosure, modification and removal.
3. Password guessing (p. 6): use a valid ID and try a list of passwords. THC Hydra: password guessing against many protocols; slow.
4. Password cracking (p. 8-13): determine the password from just the ciphertext password representation (the stored hashed or encrypted password). Good for auditing and recovering passwords; can cause legal issues.
   a. Dictionary: use a precomputed dictionary.
   b. Brute force: tries every possible combination; guaranteed to crack, dependent on time and the encryption algorithm; upper and lower case and ALT characters make it take longer (months or years).
5. LANMAN and NT hashes
   a. LANMAN hashes (p. 15-17): found on Windows NT/2K/XP/2003.
      i. No salts.
      ii. Passwords of 14 characters or less are hashed.
      iii. Padded to exactly 14 characters and converted to all upper case.
      iv. Each 7-byte string is used as a DES key.
      v. The empty pad hashes to AAD3B43... (shows in Cain for passwords of less than 8 characters).
6. Salts (p. 19): a random number used to seed the crypto algorithm.
   a. Windows: no salts, so users with identical passwords have the same hash.
   b. Linux: uses salts; salt = random. STORE: $1$vqQO0mlr$JvrqDBUVi7jYU6Ddr7G2, where $ is the delimiter, $1 is MD5, salt = vqQO0mlr, and password/salt hash = JvrqDBUVi7jYU6Ddr7G2 (the encrypted salted password).
7. Obtaining hashes (p. 29-30).
8. Defense (p. 31-34)
   a. Disable LANMAN: registry keys (p. 32).
   b. Password enforcement: Group Policy (p. 33).
   c. SYSKEY: adds an additional 128-bit strong encryption layer to the SAM database (p. 34).
   d. Encrypt the hard drive.
9. John the Ripper (p. 36-42): very fast password cracker, focused on Linux but can do Windows.
   a. You must feed it an encrypted password file. To use the shadow file you must unshadow it, combining /etc/passwd and /etc/shadow: unshadow /etc/passwd /etc/shadow > combined, then feed John the combined file.
   b. Supports many algorithms and auto-detects BSDI extended DES, FreeBSD MD5, OpenBSD Blowfish and LANMAN; additional patches are available for other algorithms.
   c. Cracking modes: single crack, wordlist, incremental, external (p. 40).
   d. Cracked passwords are stored in the file john.pot.
   e. Unix password file and shadow file (p. 38).
10. Pass the hash attack (p. 53-56): use the stolen hash instead of cracking it for the password; LANMAN challenge/response, NTLMv1 and NTLMv2.
   a. PSHtoolkit for Windows (p. 55); good for lsass.
   b. For Linux, modified Samba code from JoMo-Kun and Foofus (p. 55).
11. Worms (p. 58-80): spread over the network and self-replicate; each infection scans for new vulnerable machines; take over one system and turn that system into an attacker as well.
   a. Worms have been around for decades: the Morris worm, 1988.
   b. Multi-exploit worms (p. 61).
   c. Multi-platform worms (p. 62).
   d. Zero-day worms (p. 63).
   e. Polymorphic worms (p. 66-67): important to make your code look different on each run to avoid analysts and signatures; ADMmutate by K2.
   f. Metamorphic worms (p. 69): change appearance and functions.
   g. Warhol / Flash worms: prescan large numbers of exploitable hosts, so the first 10,000 infections take seconds.
   h. Ethical worms: using fast-moving worms to patch systems.
   i. Defense: patch.
12. The rise of the bots (p. 72-80): spread through worms, email, websites, bundled software, social sites, droppers, P2P, SMB.
   a. Communication: over IRC (often a non-standard IRC port), P2P, WASTE.
   b. Phatbot (p. 77-79).
   c. Fast flux: uses round-robin DNS to point to victims running web proxies that redirect to the real evil host.
13. Virtual machines (p. 82-88): VMcat, Truman, Scoopy, red pill.
   a. Local VME detection (p. 83).
   b. Remote VME detection (p. 84).
   c. VME escape (p. 85): escape the guest, or guess the system, to reach the host.
14. Cracking web apps: OWASP; exploit administrative apps.
   a. Finding SQL errors (p. 101): SELECT statements.
   b. Session IDs: prevent collisions in session IDs.
   c. XSS: spread the URL.
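The "finding SQL errors" step above (add a quote, watch for a database error, then try `' OR 1=1--`) is shown here as an added example, not code from the guide: a login lookup built by string concatenation next to the parameterised version, run against an in-memory SQLite table with constructed rows. It goes slightly beyond the text by also showing the fix the guide's defense bullet implies, a bound-parameter query.

```python
"""Added example (not from the guide): injectable vs. parameterised login
query, exercised against constructed rows in an in-memory SQLite database."""

import sqlite3


def make_db():
    """Constructed sample table: two users with plaintext passwords (for the demo only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES(?, ?, ?)",
                    [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return con


def login_vulnerable(con, user, pw):
    """Builds the SQL from user input: the injectable pattern.
    Returns (matched names, error text); the error text is what an
    application leaks back to the attacker during the quote test."""
    q = f"SELECT name FROM users WHERE name='{user}' AND pw='{pw}'"
    try:
        return [r[0] for r in con.execute(q)], None
    except sqlite3.Error as e:
        return [], str(e)


def login_safe(con, user, pw):
    """Same query with bound parameters: input is data, never SQL."""
    q = "SELECT name FROM users WHERE name=? AND pw=?"
    return [r[0] for r in con.execute(q, (user, pw))], None


if __name__ == "__main__":
    db = make_db()
    print("quote test:", login_vulnerable(db, "alice'", "x"))
    print("bypass:    ", login_vulnerable(db, "' OR 1=1--", "x"))
    print("safe:      ", login_safe(db, "' OR 1=1--", "x"))
```

The quote test returns a syntax error (the attacker's signal that input reaches the parser), the `' OR 1=1--` payload turns the WHERE clause into a tautology and comments out the password check, and the parameterised query matches nothing because the payload is compared literally against the name column.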
   d. Bot capabilities include conducting network scans and reconfiguring routers.
15. Account harvesting (p. 92-95): using error messages or URLs to determine valid user IDs; the error might say "invalid user" or "invalid password". The key is to say "either/or" and not give the attacker the ability to differentiate. SSL does not help here.
16. SQL injection (p. 98-107): Structured Query Language attacks.
   a. Start by adding string quotation characters to the input fields; look for errors that can help you execute SQL injection, such as database names, table names and so on.
   b. Characters: (--) (.) (*) (%) (_), or 1=1.
   c. Statements: SELECT, UPDATE, JOIN (p. 100).
   d. Dropping data (p. 102); grabbing more data (p. 103); getting database structures (p. 104).
   e. Defense: sanitize user input; stored procedures; limit the application's access to the database; WAF (mod_security).
17. Cross-site scripting, XSS (p. 109-123): based on a web app that reflects user input back to a user.
   a. Must identify a user input field that is vulnerable; usually JavaScript or VBScript is inserted into a user field and the outcome is reflected back to the user; or it can be placed in a URL as a variable.
   b. Launching the attack: email, forums, websites.
   c. Uses: harvest browser history; cookie stealing (the site must be vulnerable to XSS, due to the browser's domain-based object access).
   d. Defense: sanitize user input; turn off browser scripting (NoScript); WAF (mod_security).
18. Attacking state (p. 125-141): tracking sessions and altering variables or state to change data.
   a. URL session tracking: the session ID is in the URL (p. 126-127).
   b. Hidden form elements: in the code of the page; save a local copy and edit it (p. 126-127).
   c. Cookies: open them up and edit (p. 126-127).
   d. SSL and non-persistent cookies do not protect session tracking (p. 128-129).
   e. Browser add-ins and proxies to alter HTTP requests (p. 130-136): Tamper Data (Firefox add-in); Add N Edit Cookies (Firefox add-in); Paros Proxy, a feature-rich proxy (SPIDER, DETECT UNSAFE, DEHASH, p. 134).
   f. Defense: use timestamps in session IDs, prevent collisions in session IDs, digitally sign or use a keyed hash function, encrypt cookies.
19. Denial of service (p. 143-186): local and remote; using up all available resources.
   a. CPU hog: sets itself at priority 16 and forces Task Manager to raise the others to 15 (p. 146-147).
   b. Rose: sends highly fragmented packets, writing the last fragment over and over; not a packet flood, it attacks the IP stack (p. 150-151).
   c. SYN attack: the attacker either does not respond to the SYN-ACK or spoofs the source, causing half-open connections that use up all the connections.
   d. SMURF attacks (p. 154-160): use a broadcast address and spoofing to amplify the attack; smurf and papa smurf; Fraggle is the UDP version.
   e. DNS amplification and EDNS (p. 163-168): uses large records to amplify the DoS; send a small spoofed query and the large response goes back to the victim host.
   f. HTTP flooding (p. 168-174): GET requests blend in with normal traffic.
   g. DoS tools (p. 176).
   h. DDoS (p. 177-187): used to need special tools, most are by botnets now. Reflected DDoS: using zombies and spoofing so that a legitimate site attacks the victim. Pulsing zombies: bots attack for a short time then go idle.
   i. Defense: patching, egress filtering, anti-spoofing, disable ICMP at the gateway, turn off unneeded services, block the offending IP, IDS.

BOOK 504.5

1. Malware layers (p. 7).
2. Backdoors and Trojans (p. 6-9)
   a. Backdoor: a program that allows an attacker to bypass normal security controls on a system.
   b. Trojan: a program that looks functional but is really sinister.
   c. Trojan horse backdoor: malicious programs can be both.
   d. Identification: look for modified registry keys and odd ports.
3. VNC (p. 14-18): made for legitimate use, though abused often; the server can run as a service or in app mode; can also shovel a connection out to a listening client (the client listens on 5500 when shoveling).
4. Setiri (p. 25-26): if the victim has Internet access it will work (see below).
5. Wrappers and packers (p. 31-35): used to hide malicious files.
   a. Wrappers, also known as binders: create backdoors by wrapping a malicious app into a good program; the user installs the backdoor first and sees the actual program second. Windows: Saranwrap, EliteWrap, Silk Rope 2000, AFX File Lace (encrypts as well), Trojan Man (encrypts).
   b. Packers (p. 34-35): Windows: UPX, ASPack, EXE32pack, EXEStealth.
6. Rootkit examples: FU and FUTo (kernel mode), Hacker Defender (user mode).
7. Malware layers (p. 7), in detail
   a. Application-level Trojan horse backdoor: an evil app is installed (Poison Ivy, VNC, bots).
   b. User mode: critical OS components replaced (AFX rootkit, Hacker Defender).
   c. Kernel mode: the kernel itself is altered (KIS, lrk6, FU, SUCKit: super user control kit).
   d. Boot sector: a malicious boot sector alters the kernel as it is loaded (Vbootkit2, kon-boot).
   e. Firmware: malicious code loaded into firmware.
   f. Malware microcode: malicious CPU microcode.
8. Backdoors and Trojans (p. 6-9), in detail
   a. Backdoor: a program that allows an attacker to bypass normal security controls on a system.
   b. Trojan: a program that looks functional but is really sinister.
   c. Poison Ivy (p. 19). Common remote-control backdoor capabilities (p. 20-24).
   d. VNC: Virtual Network Computing, a GUI across the network over port 5900; multiple platform support and used in Metasploit; configure it not to show in the systray.
   e. Setiri: uses OLE to communicate with a hidden browser; because the hidden browser makes the connection it gets through firewalls, NATs and proxies; goes through an anonymizer and a connection broker where scripts run.
   f. Defense: harden the system, use updated AV tools, safe web surfing.
9. Packers: thwart reverse engineering of the attack code without the attack code having to do it itself; much new malware uses this method.
   a. Windows: ASPack and the others above; wrappers: EliteWrap, Silk Rope 2000.
   b. Linux: burneye, with three layers of protection: obfuscation, password, and fingerprinting (tying the binary to the OS). Burndump beats burneye for all modes except password.
   c. OllyDbg with plugins can unpack many packers.
10. Rootkits: alter the OS so it looks normal but is not; a fantasy world hidden from the administrator.

USER MODE ROOTKITS (p. 66-82), application layer, ring 3
11. LRK rootkit (p. 67-70): backdoors the sshd and login programs.
   a. Backdoor components: login, sshd, su, inetd, rshd, tcpd, chsh, chfn, killall, crontab, syslogd.
   b. The password is set by the attacker and can't be found with strings; the attack won't show up in the who command; when the backdoor is used, accounting entries are not written.
   c. Hiding: trojaned ps, ls, netstat, du, find, top, ifconfig, pidof.
   d. Linux rootkit evidence-hiding tools: z2 erases utmp, wtmp and lastlog; wted allows editing wtmp and utmp; fix modifies the creation date of the replaced file.
   e. Identification: difficult; compare echo * against ls; use tools like Tripwire and AIDE; compare checksums against hashes kept on non-writable media.
12. Windows user-mode rootkits: DLL injection and API hooking; the attacker injects code into a running process such as explorer.exe.
   a. AFX Windows rootkit (p. 75-79): injects itself into running DLLs or programs; the attacker uses the config console (Windows GUI, p. 73-74) to create the executable, which is copied to the target and run; the file copies itself to system32 and explorer.dll is created; newer versions configure hiding automatically; hides processes and ports.
13. PICERL for rootkits
   a. Preparation: harden and patch the system; don't let the attacker get root in the first place.
   b. Identification: difficult (see above).
   c. Containment: analyze other systems for changes made by the discovered rootkit.
   d. Eradication: format the drive, reinstall and patch.
   e. Recovery: monitor the system closely; change passwords.
14. Memory analysis (p. 37-62): must get a memory dump first: MemoryDD, fastdump, win32dd.
   a. Volatility framework: open source, written in Python; important modules (p. 38).
      i. View processes: python volatility pslist -f path_to_dump. On live Windows: wmic process get name,parentprocessid,processid
      ii. View DLLs and command line: python volatility dlllist -p [pid] -f path_to_dump. On live Windows: tasklist /m /fi "pid eq [pid]" and wmic process where processid=[pid] get commandline
      iii. View connections: python volatility connections -f path_to_dump (p. 39). On live Windows: netstat -nao | find "ESTABLISHED"

KERNEL MODE ROOTKITS (p. 80-122): run at kernel level, ring 0, and have much more power over the system; they subvert the hardware-level protection user mode relies on and don't require modification of individual programs.
15. Five types of kernel-mode rootkit
   a. Loadable kernel modules (Unix) and device drivers (Windows): the most popular.
      i. Adore (p. 100-105): another Linux kernel-mode rootkit; focuses on hiding stuff; for 2.2 and 2.4 kernels that use LKMs; two components: adore, the LKM, and ava, the program that interacts with the LKM.
      ii. KIS, Kernel Intrusion System: configured and controlled with a GUI; uses a sniffer, with communications on arbitrary UDP ports grabbed by the kernel; survives reboot by altering an executable such as init; extends the original code.
      iii. SInAr (p. 107-108): Solaris 10 kernel-mode rootkit.
      iv. FU: Windows kernel-mode rootkit for 2000/XP/2003, available at www.rootkit.com. FUTo: an update to FU that tries to dodge the rootkit detection tools Blacklight and IceSword. Those tools call the OpenProcess API for every possible process ID; if a PID opens successfully but the associated process can't be seen in the normal listing, they alert on a possible rootkit. FUTo creates a hidden process, and everything done via it stays in the hidden process.
   b. Changing the kernel file on the hard drive: /boot/vmlinuz on Unix; NTOSKRNL.exe and NTLDR on Windows, where both must be altered because NTLDR checksums NTOSKRNL; the Windows NT rootkit does this.
   c. Altering the kernel in memory: very dangerous and can leave the system unstable.
   d. Virtualizing the system: attackers can put the machine in a virtual environment so the entire kernel runs beneath their layer. Joanna's Blue Pill uses the AMD virtualization instructions; Vitriol uses Intel VT-x; it gets into the Vista kernel by hogging memory and writing kernel pages to the hard disk.
   e. Running programs directly in kernel mode (p. 111): runs user-mode programs in kernel mode.
16. Detection: chkrootkit (Linux), Rootkit Hunter (Linux), RootkitRevealer (Windows), Blacklight, IceSword, Tripwire, AV.
17. Bootable response CDs such as Helix.

COVERING TRACKS IN LINUX
18. Hiding files: simply name something ". " (dot space), ".. " (dot dot space) or just " " (space); ls -a will show the hidden file. Usually stored in /tmp, /etc, /usr/local/man, /usr/src.
19. Editing log files (p. 128-129): logs are in ASCII format and can be edited by hand. Check /etc/syslog.conf for the log paths. Logs of interest: /var/log/secure, /var/log/messages, /var/log/httpd/error_log and access_log.
20. Editing shell history: .bash_history contains the last N commands run; some attackers add commands, most delete commands.
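Returning to the Blacklight/IceSword technique in the rootkit detection notes above (open every possible PID and compare against what the process list shows), here is an added example, not code from the guide or from either tool, of the same cross-view check in its Linux form: the listing is /proc, the brute-force probe is kill(pid, 0), and any PID that is alive but absent from /proc is a hidden-process candidate. The comparison itself is a pure function over two sets so it can be exercised with constructed PID sets; the wrappers run it against the live system, taking the /proc listing before and after the probe so a process that merely exited in between is not reported.

```python
"""Added example (not from the guide): cross-view hidden-process check,
Linux flavour of the OpenProcess-for-every-PID trick."""

import os


def hidden_pids(listed, alive):
    """PIDs that respond as existing but are missing from the listing."""
    return sorted(set(alive) - set(listed))


def pids_from_proc():
    """The view a user-mode or LKM rootkit typically filters."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pid_exists(pid):
    """Signal 0 delivers nothing but still tells us whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:     # EPERM: exists, owned by someone else
        return True
    except ProcessLookupError:  # ESRCH: no such process
        return False


def probe_alive(max_pid):
    return {p for p in range(1, max_pid + 1) if pid_exists(p)}


def max_pid():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768  # assumption: classic default when pid_max is unreadable


def find_hidden():
    """Live check: listing before and after the probe guards against
    processes that simply exited while we were scanning."""
    before = pids_from_proc()
    alive = probe_alive(max_pid())
    after = pids_from_proc()
    return hidden_pids(before | after, alive)


def self_is_visible():
    """Sanity check: our own PID must answer the probe."""
    return pid_exists(os.getpid())


# Constructed PID sets: 31337 answers the probe but is not in the listing.
CONSTRUCTED_LISTED = {1, 2, 100, 2048}
CONSTRUCTED_ALIVE = {1, 2, 100, 2048, 31337}

if __name__ == "__main__":
    print("constructed:", hidden_pids(CONSTRUCTED_LISTED, CONSTRUCTED_ALIVE))
    print("live:", find_hidden())
```

A kernel-mode rootkit that hooks the kill path as well as the /proc path defeats this (that is exactly what FUTo's hidden-process tricks aim for against Blacklight and IceSword), which is why the guide pairs tool-based detection with offline checks such as checksums kept on non-writable media and a bootable response CD.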
KERNEL MODE ROOTKITS (continued)
   a. KIS, Kernel Intrusion System (p. 96-98): targets 2.4 and 2.6 kernels; capabilities (p. 97); receives commands over the network but doesn't listen on a port.
   b. Adore: another Linux kernel-mode rootkit; features (p. 101).
   c. Altering the kernel in memory: /dev/kmem holds a map of kernel memory on Linux; Windows has the system memory map; SUCKit for Linux and FU for Windows do this.
   d. FUTo removes the reference to the hidden process.
   e. Running programs directly in kernel mode: KML, Kernel Mode Linux.
   f. (p. 110): takes its name from the Linux su command.
   g. Detection tools: Blacklight, IceSword.
   h. Defenses: harden machines, good security templates, IDS/IPS.

COVERING TRACKS IN LINUX (p. 124-146)
   a. Hiding files (continued): names such as ". name" or even just "."; also stored in /dev.
   b. Common logs and logs of interest: see the syslog configuration for where they are.
   c. Attackers with admin access can delete logs fully or overfill logs with bogus info. With physical access, attackers can use a Linux boot CD to edit the log file.
   d. Editing shell history (continued): to keep the history from being written, log out ungracefully by killing the shell: killall bash
   e. Linux accounting files: cannot be edited by hand (utmp, wtmp and btmp); a special tool such as remove.c is needed.
      i. utmp: what the who command reads; contains info about the users currently logged in; default location /var/run/utmp.
      ii. btmp: default location /var/log/btmp.
      iii. lastlog: port and last login for each user.
   f. Preparation (defense): log to a remote server.

COVERING TRACKS IN WINDOWS
   a. Hiding files in Windows, NTFS (p. 148-150): alternate data streams. Multiple streams can be attached to a file; the stream hides the size as well; ADS are almost never used legitimately; hide malicious files inside standard files; the stream can be lost if users are not careful when the file is copied.
      i. To hide: type hackstuff.exe > notepad.exe:stream1
      ii. To extract: cp notepad.exe:stream1 hackstuff.exe
      iii. Attach to a directory: notepad <file_or_directory_name>:<stream_name>
      iv. Seeing them: Windows Vista and later, dir /r; LADS; Streams and the Streams shell extension; Linux can see them as well over SMB.
   b. Event log files: AppEvent.Evt, SysEvent.Evt, SecEvent.Evt.

COVERING TRACKS ON THE NETWORK: tunneling and covert channels
   a. Reverse WWW Shell (p. 170-171): client/server; the client is installed on the victim; requires Perl; uses HTTP GET, so it looks like outbound web surfing and bypasses the firewall.
   b. ICMP tunnels: LOKI (Linux shell), ICMPShell (Linux).
   c. Editing shell history (continued): the shell writes its commands to the history file after a graceful logout, which is why killing the shell avoids it. The history file may contain passwords, so it is bad to leave it lying around.
   d. Linux accounting files (p. 133-135)
      i. wtmp: contains data about past logins; default location /var/log/wtmp.
      ii. btmp: contains data about bad login attempts.
      iii. lastlog: shows the login name, port and last login for each user; default location /var/log/lastlog.
   e. Identification: look for gaps or corrupt logs.

COVERING TRACKS IN WINDOWS (continued)
   a. Log editing in Windows (p. 153-158): default location %root%\SYSTEM32\CONFIG; event log files: AppEvent.Evt, SysEvent.Evt, SecEvent.Evt.
   b. WinZapper: edits Windows logs on NT 4 and 2000; works on XP and 2003 but is a bit buggy.
   c. Meterpreter: the clearev command clears all logs.
   d. Defense: log to a remote server (Snare or Kiwi to forward Windows events to syslog); encrypt logs; burn logs to media on a schedule. Identification: look for gaps or corrupt logs.

COVERING TRACKS ON THE NETWORK (continued): tunneling and covert channels (p. 169-204)
   a. Reverse WWW Shell (continued): source port is 1024, destination port is 80; it connects to the attacker's server and they get a command line; can use credentials. A similar tool is sneakin, which looks like telnet.
   b. ICMP tunnels (p. 174-176): PingChat (Windows chat), ICMPCmd (Windows cmd), Ptunnel (Windows and Linux).
      i. Ptunnel carries TCP over ICMP echo and reply; it has a client and a proxy.
      ii. Configure the client with a local port to take data from and the ultimate destination address.
      iii. The attacker connects to the local port; the data is sent to the proxy over ICMP and then on to the final destination over TCP.
   c. Covert channels (p. 178-195).
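The accounting files above (utmp, wtmp, btmp) can't be edited by hand because each is an array of fixed-size binary records, and the "look for gaps or corrupt logs" identification step means parsing that layout. Here is an added example, not code from the guide or from remove.c, that parses the glibc Linux utmp record format (384 bytes per record, the layout is an assumption that holds for glibc on x86 and x86_64) and flags the two artefacts editing leaves behind: an all-zero record in the middle of wtmp, which is what a zapper produces when it nulls an entry, and a timestamp earlier than the record before it. The records are constructed with the same packer, not taken from a real wtmp.

```python
"""Added example (not from the guide): parse Linux utmp/wtmp/btmp records
and audit them for zeroed entries and non-monotonic timestamps."""

import struct

# glibc struct utmp: type, pad, pid, line[32], id[4], user[32], host[256],
# exit(2 x short), session, tv_sec, tv_usec, addr_v6[4], reserved[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 on glibc
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
         5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
         8: "DEAD_PROCESS", 9: "ACCOUNTING"}
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Decode whole records; a trailing partial record is itself suspicious but ignored here."""
    recs = []
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit,
         _sess, sec, _usec, _addr) = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"type": ut_type, "kind": TYPES.get(ut_type, "?"), "pid": pid,
                     "line": _cstr(line), "user": _cstr(user), "host": _cstr(host), "time": sec})
    return recs


def pack_record(ut_type, pid, line, user, host, sec):
    """Build one record the way login(1)/init would, for constructed samples."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, b"\0" * 16)


def audit(recs):
    """Zeroed records and time running backwards are the traces an editor leaves."""
    findings = []
    last = 0
    for i, r in enumerate(recs):
        if r["type"] == 0:
            findings.append(f"record {i}: zeroed (EMPTY) entry, possible zapped login")
            continue
        if r["time"] < last:
            findings.append(f"record {i}: time {r['time']} earlier than previous {last}, possible rewrite")
        last = max(last, r["time"])
    return findings


# Constructed wtmp: two logins, one zapped (nulled) record, then a login
# whose timestamp precedes the earlier ones, as a clumsy edit would leave.
SAMPLE_WTMP = (pack_record(USER_PROCESS, 100, "pts/0", "alice", "10.0.0.5", 1000)
               + pack_record(USER_PROCESS, 101, "pts/1", "bob", "10.0.0.6", 1100)
               + b"\0" * UTMP_SIZE
               + pack_record(USER_PROCESS, 102, "pts/2", "charlie", "10.0.0.7", 900))

if __name__ == "__main__":
    for f in audit(parse_utmp(SAMPLE_WTMP)):
        print(f)
```

The same parser reads /var/run/utmp and /var/log/btmp, since all three share the record layout; a tool like remove.c or wted that rewrites records cleanly (shifting later entries up instead of zeroing) defeats the zero check but not the remote-syslog copy the guide's preparation step recommends.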